Possible bug or at least weird behaviour while listing DRM recovery request
by Marcin Mierzejewski
after requesting a key recovery with:
> public RequestId requestRecoveryPrivateKey(KeyId keyID, String base64Certificate) throws Exception
> {
>     // trim header and footer from cert
>     if (base64Certificate.contains(CertData.HEADER)) {
>         base64Certificate = base64Certificate.substring(CertData.HEADER.length(),
>                 base64Certificate.indexOf(CertData.FOOTER));
>     }
>
>     log("Requesting X509 key recovery." + keyID);
>     KeyRequestResponse response = keyClient.recoverKey(keyID, null, null, null, base64Certificate);
>     RequestId requestId = response.getRequestId();
>     log("ask kra admins to approve request " + requestId);
>
>     KeyRequestInfo info = keyClient.getRequestInfo(requestId);
>     log("info about request to approve");
>     printRequestInfo(info);
>
>     return requestId;
> }
when I try to find the request by keyId:
public List<KeyRequestInfo> findRecoveryRequest(KeyId keyid)
{
    // KeyClient.listRequests(String requestState, String requestType, String clientID,
    //                        RequestId start, Integer pageSize, Integer maxResults, Integer maxTime)
    ArrayList<KeyRequestInfo> result = new ArrayList<KeyRequestInfo>();
    KeyRequestInfoCollection requests =
            keyClient.listRequests(null, "recovery", null, null, 99999,
                    Integer.MAX_VALUE, 99999);
    for (KeyRequestInfo keyRequestInfo : requests.getEntries()) {
        KeyId reqKeyId = keyRequestInfo.getKeyId();
        printRequestInfo(keyRequestInfo);
        log("req " + keyRequestInfo.getRequestId() + " " + reqKeyId + "==" + keyid);
        if (keyid.equals(reqKeyId))
        {
            result.add(keyRequestInfo);
        }
    }
    log("found " + result.size() + " requests");
    return result;
}
keyClient.listRequests(null, "recovery", null, null, 99999, Integer.MAX_VALUE, 99999)
returns a collection with a null KeyUrl, so getKeyId also returns null.
But when I open a request that has a null KeyUrl in the agent interface
(https://localhost.localdomain:8443/kra/agent/kra/processReq?op=processReq...)
I get all the information I need:
Request 113
> <https://localhost.localdomain:8443/kra/agent/kra/processReq?op=processReq...>
> Request Status: pending
> Type: recovery
> Created on: 21/10/2015, 11:25:41
> Updated by: kraagent
> Updated on: 21/10/2015, 11:25:41
> Recovery Information
> Key identifier: 42
> Recovery Initiating Agent: kraagent
> Recovery Approving Agents:
> Action
> Asynchronous Key Recovery: Grant
> <https://localhost.localdomain:8443/kra/agent/kra/grantAsyncRecovery?op=gr...>
How do I get the Key Identifier from keyClient?
8 years, 10 months
Dogtag profile for encryption certificate with storing private key in DRM/KRA
by Marcin Mierzejewski
Hi All,
What I want is a simple profile for requesting an encryption (not signing) personal
certificate whose private key will be stored in the KRA/DRM. I checked the existing
profiles and found a profile whose name and description meet the goals I want
to achieve:
*CaEncUserCert.cfg*
This profile was not visible, so I changed that. I opened this profile in the end-user
CA application:
*Certificate Profile - Manual User Encryption Certificates Enrollment*
This certificate profile is for enrolling user encryption certificates with the
option to archive keys.
*Certificate Request Input*
- Certificate Request Type list (pkcs10 or crmf)
- Certificate Request (text area for request)
*Subject Name* - fields with info about the user (probably should be the same
values that were in the certificate request)
*Requestor Information* - info about the requestor
How is it possible to store the private key without even sending it to the CA? Can
the private key be enclosed in the "Certificate Request"? If the answer is no, as I
think, why is there an "option to archive keys"?
Marcin
8 years, 10 months
Revoking all certificates issued by Dogtag at once
by Peter P.
Hi,
I have an instance of Dogtag installed on my Fedora 22 server and I wanted
to know if there is a way to revoke all the certificates ever issued by my
Dogtag CA in one shot.
Also, is there any bound/limit on the number of valid certificates that can
be issued by an instance of Dogtag?
Thank you,
Peter
8 years, 10 months
Dogtag jss4 dependency version
by Marcin Mierzejewski
I'm trying to build a Dogtag REST client, but after adding the jars I found on the
system (here is the list):
pki-ca.jar
pki-certsrv.jar
pki-cms.jar
pki-cmscore.jar
pki-cmsutil.jar
pki-console.jar
pki-kra.jar
pki-nsutil.jar
pki-ocsp.jar
pki-tks.jar
pki-tomcat.jar
pki-tools.jar
pki-tps.jar
I got some problems with their dependencies (resteasy was missing), so I
resolved them with a Maven pom. Now I have a problem with the Mozilla JSS lib. On the
Mozilla FTP (https://ftp.mozilla.org/pub/security/jss/releases/) I found
.jar and .so packages for different versions (from 3.0 to 4.3), but after
checking all of them, none of them has the inner class SSLVersionRange in
SSLSocket (check the stack trace below).
So I checked what the Dogtag source package dependencies are, and all I found in
CMakeLists.txt is that Dogtag is built with jss4.jar.
*So, my question is what exact version of JSS is Dogtag using and where can I
get it?*
Exception in thread "main" java.lang.NoClassDefFoundError: org/mozilla/jss/ssl/SSLSocket$SSLVersionRange
    at com.netscape.certsrv.client.PKIConnection$JSSProtocolSocketFactory.connectSocket(PKIConnection.java:333)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:283)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:436)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:64)
    at com.sun.proxy.$Proxy37.listProfiles(Unknown Source)
    at com.netscape.certsrv.profile.ProfileClient.listProfiles(ProfileClient.java:59)
    at com.company.CATest.test(CATest.java:93)
    at com.company.Main.main(Main.java:15)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:140)
8 years, 11 months